SPF, part 3: configuring Postfix to check SPF records when receiving mail

(For extra fun, read parts 1 and 2 first.)

Now that you know how to configure an SPF record for your domain(s), the natural next step, if you administer an email server, is to start checking SPF records for mails you receive.

Now, spammers are infamous for not respecting rules, not “playing nice”, so, you might ask, what makes me think they’ll set up SPF records for their domains, which would be kind of self-defeating? The obvious answer is that SPF doesn’t depend on the spammers’ collaboration. Since legitimate email senders use SPF to tell the world which servers they use to send email, it prevents others — such as the aforementioned spammers — from faking sender addresses to pretend they’re from those senders / domains.

To put it simply: if there’s an SPF record for the “gmail.com” domain, then you can — and should — reject mail purporting to be from something@gmail.com that doesn’t come from the servers listed in that record. In other words, anyone who fakes a @gmail.com address can’t fool your server, assuming you have it configured to use SPF.

Now, how to do that? There are many ways, of course, depending on the email server you use. The simple recipe below uses postfix-policyd-spf-perl to make Postfix reject mail from domains with properly configured SPF records, when the mail comes from an unauthorized server (that is, one not listed on the record.) This assumes you already have Postfix up and running.

  • install postfix-policyd-spf-perl. In Ubuntu, just do an apt-get install postfix-policyd-spf-perl.
  • add this line to /etc/postfix/main.cf (the part before _time_limit must match the service name used in master.cf below):
    policy-spf_time_limit = 3600s
  • add the following to /etc/postfix/master.cf:
    policy-spf  unix  -       n       n       -       -       spawn
         user=nobody argv=/usr/bin/policyd-spf

    (change the path of policyd-spf if it’s installed somewhere else; that’s where the Ubuntu package puts it.)

  • in /etc/postfix/main.cf, find the smtpd_recipient_restrictions section, and, immediately after permit_mynetworks (and permit_sasl_authenticated, if you’re using that), add:
    check_policy_service unix:private/policy-spf
  • restart Postfix. Check your logs to see if everything is working properly.
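
To check the new service without waiting for real mail, this added example (not part of the original post) speaks Postfix's policy delegation protocol to the policy-spf socket the way smtpd does at RCPT TO, and reports what Postfix would do with the answer. It assumes the default queue directory /var/spool/postfix and root privileges to reach the private socket; the function names and sample addresses are made up for illustration.

```python
import socket

# Assumption: default queue directory; "policy-spf" is the master.cf service name.
POLICY_SOCKET = "/var/spool/postfix/private/policy-spf"

def build_request(client_ip, helo, sender, recipient):
    """Serialize the name=value attributes smtpd sends; a blank line ends the request."""
    attrs = [
        ("request", "smtpd_access_policy"),
        ("protocol_state", "RCPT"),
        ("protocol_name", "ESMTP"),
        ("client_address", client_ip),
        ("helo_name", helo),
        ("sender", sender),
        ("recipient", recipient),
    ]
    return "".join(f"{k}={v}\n" for k, v in attrs).encode() + b"\n"

def parse_reply(raw):
    """Return the text after 'action=' from the policy service's reply."""
    for line in raw.decode(errors="replace").splitlines():
        if line.startswith("action="):
            return line[len("action="):]
    raise ValueError("no action= line in policy reply")

def classify(action):
    """Map a policy action to what smtpd does with the recipient."""
    verb = (action.split() or [""])[0].upper()
    if verb == "REJECT" or (verb.isdigit() and verb.startswith("5")):
        return "reject"
    if verb.startswith("DEFER") or (verb.isdigit() and verb.startswith("4")):
        return "defer"      # DEFER and its conditional forms, or a 4xx code
    return "continue"       # DUNNO, PREPEND, ...: later restrictions decide

def query(request, path=POLICY_SOCKET, timeout=10):
    """Send one request to the policy socket and return the action it answers with."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        s.connect(path)
        s.sendall(request)
        buf = b""
        while b"\n\n" not in buf:   # the reply also ends with a blank line
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_reply(buf)

if __name__ == "__main__":
    # Constructed values: a documentation IP and example domains.
    action = query(build_request("192.0.2.10", "mail.example.net",
                                 "someone@example.org", "postmaster@example.com"))
    print(classify(action), "->", action)
```

Replace the sample sender with an address in a domain whose SPF record you know, and the client address with one that record does or does not authorize, to see both outcomes.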

Now, remember when in part 2 I mentioned a lesser-known reason for configuring the SPF record for your domain? It’s this: it’ll stop a lot of incoming spam. These days, a lot of spam email pretends to be from you (that is, it uses your email address as both the “From:” and “To:”), or at least from your domain (e.g. administrator@yourdomain, manager@yourdomain, and so on). I don’t know why spammers do that, but apparently it works, or else they wouldn’t do it (maybe victims get confused and think the email comes from someone in their company, or maybe webmail services tend — or at least did so once — to trust the user’s own address, I don’t know). Well, if you have SPF for your domain and your email server checks SPF records for incoming mail, then spam messages such as these will always be rejected, even when other methods of stopping spam (RBL lists, SpamAssassin, etc.) fail. Never again will you receive emails pretending to be from your own address.

This work by Pedro Timóteo is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 2.5 Portugal.